A Membership Inference Attack (MIA) identifies whether a record exists in a machine learning model's training set by querying the model. MIAs on classic classification models have been well studied, and recent works have started to explore how to transplant MIAs onto generative models. Our investigation indicates that existing MIAs designed for generative models depend mainly on overfitting in the target models. However, overfitting can be avoided by employing various regularization techniques, so existing MIAs perform poorly in practice. Unlike overfitting, memorization is essential for deep learning models to attain optimal performance, making it a more prevalent phenomenon. Memorization in generative models leads to an increasing trend in the probability distribution of generating records around the member record. Therefore, we propose a Probabilistic Fluctuation Assessing Membership Inference Attack (PFAMI), a black-box MIA that infers membership by detecting these trends through analysis of the overall probabilistic fluctuations around given records. We conduct extensive experiments across multiple generative models and datasets, which demonstrate that PFAMI can improve the attack success rate (ASR) by about 27.9% when compared with the best baseline.